[Freeipa-users] EXTERNAL: Re: ipa-replica-install errors
Joseph, Matthew (EXP)
matthew.joseph at lmco.com
Wed Apr 10 13:49:38 UTC 2013
Hey Rob,
Yes I've tried to do that. Every time I try to run an ipa-replica-install I make sure I create a new replica file from the server.
Matt
-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com]
Sent: Wednesday, April 10, 2013 10:47 AM
To: Joseph, Matthew (EXP); Nathan Kinder
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors
Joseph, Matthew (EXP) wrote:
> Hey,
>
> I'm still trying to figure out this error but I am getting nothing.
>
> Anyone have any suggestions or ideas on why this is failing?
Is there a chance you're using a replica file prepared from a different IPA installation? I'd probably go ahead and use ipa-replica-prepare to create a new file and try installing that.
rob
>
> Matt
>
> *From:* freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] *On Behalf Of* Joseph, Matthew (EXP)
> *Sent:* Monday, April 08, 2013 12:30 PM
> *To:* Nathan Kinder
> *Cc:* freeipa-users at redhat.com
> *Subject:* Re: [Freeipa-users] EXTERNAL: Re: ipa-replica-install
> errors
>
> Hey,
>
>
> Yup, the client side says the following;
>
> Op=-1 fd=64 closed - Peer does not recognize and trust the CA that issued your certificate.
>
> Matt
>
> *From:*Nathan Kinder [mailto:nkinder at redhat.com]
> *Sent:* Monday, April 08, 2013 12:28 PM
> *To:* Joseph, Matthew (EXP)
> *Cc:* freeipa-users at redhat.com
> *Subject:* Re: EXTERNAL: Re: [Freeipa-users] ipa-replica-install
> errors
>
> On 04/08/2013 07:16 AM, Joseph, Matthew (EXP) wrote:
>
> Hey,
>
> So on the IPA server under the access logs I am getting the
> following error.
>
> Error: could not send startTLS request: Error -11 (connect error) errno 0 (success)
>
> Any ideas?
>
> Does the access log on the receiving side show a connection attempt
> from the master at the same time? The access log will be located at
> /var/log/dirsrv/slapd-<DOMAIN>/access.
>
> -NGK
>
> Matt
>
> *From:*Nathan Kinder [mailto:nkinder at redhat.com]
> *Sent:* Thursday, April 04, 2013 6:00 PM
> *To:* Joseph, Matthew (EXP)
> *Cc:* freeipa-users at redhat.com <mailto:freeipa-users at redhat.com>
> *Subject:* EXTERNAL: Re: [Freeipa-users] ipa-replica-install errors
>
> On 04/04/2013 07:14 AM, Joseph, Matthew (EXP) wrote:
>
> Hello,
>
> I'm trying to set up a replica server with ipa-2.2.0-16 on both the Server and the Replica Server.
>
> Here are the steps I ran (From the Red Hat 6.3 IdM Administration
> Guide);
>
> ------------------------
>
> *IPA_Server:*
>
> ipa-replica-prepare ipareplica.example.com --ip-address 192.168.1.2
>
> scp /var/lib/ipa/replica-info-ipareplica.example.com.gpg root@ipareplica:/var/lib/ipa/
>
> *IPA_Replica:*
>
> ipa-replica-install --setup-ca --setup-dns /var/lib/ipa/replica-info-ipareplica.example.com.gpg
>
> ------------------------------
>
> Below is the error I am getting when running ipa-replica-install;
>
> Directory Manager (existing master) password:
>
> Run connection check to master
>
> Check connection from replica to remote master 'IPA_Server.domain.ca':
>
> Directory Service: Unsecure port (389): OK
>
> Directory Service: Secure port (636): OK
>
> Kerberos KDC: TCP (88): OK
>
> Kerberos Kpasswd: TCP (464): OK
>
> HTTP Server: Unsecure port (80): OK
>
> HTTP Server: Secure port (443): OK
>
> PKI-CA: Directory Service port (7389): OK
>
> The following list of ports use UDP protocol and would need to be checked manually:
>
> Kerberos KDC: UDP (88): SKIPPED
>
> Kerberos Kpasswd: UDP (464): SKIPPED
>
> Connection from replica to master is OK.
>
> Start listening on required ports for remote master check
>
> Get credentials to log in to remote master
>
> admin at domain.ca <mailto:admin at domain.ca> password:
>
> Execute check on remote master
>
> Check connection from master to remote replica 'IPA_Replica.domain.ca':
>
> Directory Service: Unsecure port (389): OK
>
> Directory Service: Secure port (636): OK
>
> Kerberos KDC: TCP (88): OK
>
> Kerberos KDC: UDP (88): OK
>
> Kerberos Kpasswd: TCP (464): OK
>
> Kerberos Kpasswd: UDP (464): OK
>
> HTTP Server: Unsecure port (80): OK
>
> HTTP Server: Secure port (443): OK
>
> PKI-CA: Directory Service port (7389): OK
>
> Connection from master to replica is OK.
>
> Connection check OK
>
> Configuring ntpd
>
> [1/4]: stopping ntpd
>
> [2/4]: writing configuration
>
> [3/4]: configuring ntpd to start on boot
>
> [4/4]: starting ntpd
>
> done configuring ntpd.
>
> Configuring directory server for the CA: Estimated time 30 seconds
>
> [1/3]: creating directory server user
>
> [2/3]: creating directory server instance
>
> [3/3]: restarting directory server
>
> done configuring pkids.
>
> Configuring certificate server: Estimated time 3 minutes 30 seconds
>
> [1/13]: creating certificate server user
>
> [2/13]: creating pki-ca instance
>
> [3/13]: configuring certificate server instance
>
> [4/13]: disabling nonces
>
> [5/13]: creating RA agent certificate database
>
> [6/13]: importing CA chain to RA certificate database
>
> [7/13]: fixing RA database permissions
>
> [8/13]: setting up signing cert profile
>
> [9/13]: set up CRL publishing
>
> [10/13]: set certificate subject base
>
> [11/13]: enabling Subject Key Identifier
>
> [12/13]: configuring certificate server to start on boot
>
> [13/13]: Configure HTTP to proxy connections
>
> done configuring pki-cad.
>
> Restarting the directory and certificate servers
>
> Configuring directory server: Estimated time 1 minute
>
> [1/30]: creating directory server user
>
> [2/30]: creating directory server instance
>
> [3/30]: adding default schema
>
> [4/30]: enabling memberof plugin
>
> [5/30]: enabling referential integrity plugin
>
> [6/30]: enabling winsync plugin
>
> [7/30]: configuring replication version plugin
>
> [8/30]: enabling IPA enrollment plugin
>
> [9/30]: enabling ldapi
>
> [10/30]: configuring uniqueness plugin
>
> [11/30]: configuring uuid plugin
>
> [12/30]: configuring modrdn plugin
>
> [13/30]: enabling entryUSN plugin
>
> [14/30]: configuring lockout plugin
>
> [15/30]: creating indices
>
> [16/30]: configuring ssl for ds instance
>
> [17/30]: configuring certmap.conf
>
> [18/30]: configure autobind for root
>
> [19/30]: configure new location for managed entries
>
> [20/30]: restarting directory server
>
> [21/30]: setting up initial replication
>
> Starting replication, please wait until this has completed.
>
> [IPA_Server.domain.ca] reports: Update failed! Status: [-11 - System error]
>
> creation of replica failed: Failed to start replication
>
> Also in the error log(/var/log/dirsrv/slapd-DOMAIN-CA/errors) is the
> following error;
>
> NSMMReplicationPlugin - agmt="cn=metoIPA_Server.domain.ca" (ipa_server:389): Replica has a different generation ID than the local data.
>
> This is probably just fallout from the replica initialization failure.
> If a replica is never initialized, it will get a generation ID
> mismatch error when the master contacts it.
>
> Any thoughts or ideas on this issue? Searching Google I don't see anyone getting the Status: -11 - System Error.
>
> There was a bug in 389-ds-base that was fixed a while back where
> negative LDAP error codes were all printed as "System Error". The -11
> is a connection error. Here is how it is defined in /usr/include/ldap.h:
>
> #define LDAP_CONNECT_ERROR (-11)
>
> It sounds like this connection error is occurring when it tries to
> initialize the replica. It might help to enable replication level
> logging on the master, then try running ipa-replica-install again.
> The errors in the 389 DS errors log might point to the problem. To
> enable replication level logging, you can perform the following
> operation with ldapmodify as "cn=Directory Manager":
>
> ------------------------------------------
> dn: cn=config
> changetype: modify
> replace: nsslapd-errorlog-level
> nsslapd-errorlog-level: 8192
> ------------------------------------------
>
> When you are finished debugging the issue, don't forget to change the
> log level back to "0".
>
> -NGK
>
> Thanks,
>
> Matt
>
>
>
>
> _______________________________________________
>
> Freeipa-users mailing list
>
> Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
>
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
>
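The thread above turns on reading three 389 Directory Server log lines together: the agreement status "[-11 - System error]", the "could not send startTLS request: Error -11" line, and the peer's "does not recognize and trust the CA" message, with the generation-ID mismatch being fallout rather than cause. The script below is an added example, not code from the thread, from FreeIPA or from 389-ds-base. It scans errors/access log lines for exactly those symptoms, decodes the negative LDAP client codes using the names from OpenLDAP's ldap.h (the thread quotes LDAP_CONNECT_ERROR for -11), and orders the findings so the trust problem is looked at before the symptoms it causes. The sample log lines, hostnames and timestamps are constructed for the example; the hints repeat the diagnosis Nathan and Rob give in the thread.

```python
"""Triage helper for FreeIPA / 389-ds replication-initialization failures.

Added example: scans 389 DS log lines for the symptoms discussed in the
thread and maps them to a name, a decoded LDAP code and a defender-side hint.
"""
import re

# Negative ("client-side") LDAP result codes as defined in OpenLDAP ldap.h.
# Older 389-ds-base printed all of these as "System error" (see thread).
LDAP_CLIENT_ERRORS = {
    -1: "LDAP_SERVER_DOWN",
    -2: "LDAP_LOCAL_ERROR",
    -5: "LDAP_TIMEOUT",
    -11: "LDAP_CONNECT_ERROR",
    -12: "LDAP_NOT_SUPPORTED",
}

# (regex, finding id, hint). Hints follow the diagnosis given in the thread.
RULES = [
    (re.compile(r"Update failed! Status: \[(-?\d+) - ([^\]]*)\]"),
     "agreement_update_failed",
     "replication agreement could not start; decode the status code"),
    (re.compile(r"could not send startTLS request: Error (-?\d+)"),
     "starttls_failed",
     "master could not bring up TLS to the replica; check the replica's LDAP TLS setup"),
    (re.compile(r"Peer does not recognize and trust the CA"),
     "peer_ca_untrusted",
     "the two sides trust different CAs; re-run ipa-replica-prepare on this "
     "master and reinstall the replica with the fresh file"),
    (re.compile(r"Replica has a different generation ID"),
     "generation_id_mismatch",
     "usually fallout of a failed initialization; fix the connection problem first"),
]

# Constructed sample lines (hostnames/timestamps are not from the thread).
SAMPLE_LOG = [
    '[10/Apr/2013:09:00:01 -0400] NSMMReplicationPlugin - agmt="cn=metoipareplica.example.com" '
    '(ipareplica:389): Update failed! Status: [-11 - System error]',
    '[10/Apr/2013:09:00:01 -0400] Error: could not send startTLS request: Error -11 '
    '(connect error) errno 0 (success)',
    '[10/Apr/2013:09:00:01 -0400] conn=12 op=-1 fd=64 closed - Peer does not recognize '
    'and trust the CA that issued your certificate.',
    '[10/Apr/2013:09:00:02 -0400] NSMMReplicationPlugin - agmt="cn=metoipareplica.example.com" '
    '(ipareplica:389): Replica has a different generation ID than the local data.',
]


def decode_ldap_code(code):
    """Return the symbolic name for a negative LDAP client error, or UNKNOWN(n)."""
    return LDAP_CLIENT_ERRORS.get(code, "UNKNOWN(%d)" % code)


def triage(lines):
    """Scan log lines and return one finding dict per matching line, in log order."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for pattern, fid, hint in RULES:
            match = pattern.search(line)
            if not match:
                continue
            finding = {"line": lineno, "id": fid, "hint": hint}
            if match.groups():  # rules that capture a numeric status code
                code = int(match.group(1))
                finding["code"] = code
                finding["code_name"] = decode_ldap_code(code)
            findings.append(finding)
    return findings


def likely_root_cause(findings):
    """Pick the finding to act on first: trust failure before the errors it causes."""
    priority = ["peer_ca_untrusted", "starttls_failed",
                "agreement_update_failed", "generation_id_mismatch"]
    for fid in priority:
        for finding in findings:
            if finding["id"] == fid:
                return finding
    return None


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
    print("act on first:", likely_root_cause(triage(SAMPLE_LOG)))
```

Run it against real files with `triage(open("/var/log/dirsrv/slapd-DOMAIN/errors").readlines())`; the access log line from the thread is matched by the same rules, so both logs can be concatenated into one list.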